Application proxy conclusions

PF/Kernel interfaces
- divert-to is the preferred interface for most proxies or NAT helpers.
- Socket splicing allows switching to high-speed forwarding.
- divert-packet works for IDS/IPS.
- bpf exists for legacy software and special cases.

Userland implementations
- NAT helpers such as ftp-proxy work well.
- relayd is a powerful tool that was written to "extend PF in userland".
- relayd's new filter rules will make it even better.
- We will support a few more protocols as proxies or directly in relayd.